WIXLIB

internship program to 31 high school cybersecurity students in local companies during thecourse of two summers, and worked extensively with local firms to understand the nature oftheir workforce skills shortages and gaps and then reported those findings publicly for use innew workforce training and academic program development.Perhaps most importantly, the Cyber Prep team has solidified into a passionate group ofworkforce developers who know that the successes they have enjoyed together will help youngpeople in a variety of CTE programs, as the workforce pipeline development process is similaracross many industries and occupations in the region and in Colorado.The Cyber Prep program team is now preparing to integrate into the Chamber/EDCs largerEcosystem Growth Strategy—an economic development strategic plan designed to help retain,grow, and attract cybersecurity firms—in order to continue their work.BackgroundColorado Springs is the most heavily defense-impacted community in Colorado and one of themost heavily impacted in the United States. A 2014 study identified the aerospace and defenseindustry’s direct and indirect impact on the Colorado Springs Metropolitan Statistical Area (MSA)as 44 percent of the economy. The MSA has over 55,800 direct employees associated with themilitary installations of the Fort Carson army post, Schriever Air Force Base, Peterson Air ForceBase, Cheyenne Mountain Air Force Station, and the U.S. Air Force Academy.The region has a sizable defense contractor base—more than 67,000 direct jobs and anadditional 37,000 indirect or induced jobs—are associated with providing services to the militaryposts and contracting with the various branches of the military. Most of these jobs are incommand and control, space and satellite operations, and information technology.As part of a community-wide defense diversification initiative, the Colorado Springs Chamberand Economic Development Corporation (Chamber/EDC) studied local defense contractors withan eye toward those with potential for commercialization, finding that information technologyand aerospace manufacturing were two sectors with promise as both are primary employerssupporting high wages with defense-funded products and technologies that may be readilyadapted for use in commercial markets.The Chamber/EDC research found that 47 percent (118) of the 250 defense companies inColorado Springs provided information technology (IT) services to include network defense anddata storage, and that several of these companies had significant talent and service lines incybersecurity. Thus, the Chamber/EDC decided to aggressively promote cybersecurity as anarea of economic diversification for the region. As a result of its advocacy, Governor JohnHickenlooper declared Colorado Springs as America’s Cyber Capital in December 2015,launching an initiative to focus Colorado’s economic development in cybersecurity in theColorado Springs area.The Governor also helped to launch the National Cybersecurity Center in Colorado Springs,which he envisioned as helping state and local governments better manage their growing needfor cybersecurity products and services. (www.cyber-center.org) Further, the Governor rallied theregion’s higher education providers to create new academic pathways to cultivate a highlyqualified cybersecurity workforce. In response, Pikes Peak Community College (PPCC) leadersagreed to develop a new cybersecurity associate degree program, supplemented by non-creditindustry certification programs that would help to quickly develop a qualified workforce.Western Region RAMPS Final ReportPage 10 of 34

Chamber/EDC leaders approached PPCC leadership in January 2016 about creating a jointapplication for funding from the U.S. Department of Defense Office of Economic AdjustmentIndustry Resilience program to grow the cybersecurity ecosystem in the region. PPCC wouldserve as the fiscal agent and would organize workforce development efforts in cybersecurity.The Chamber/EDC would organize a strategic planning effort to identify the region’s assets incybersecurity, identify barriers to developing a thriving ecosystem based on successfulinitiatives in other parts of the world, and develop an action plan to exploit the assets and breakdown the barriers. The team submitted an application in March 2016 (the CybersecurityEcosystem Growth Plan) that was awarded in April 2017 and started in June 2017.Next, the Chamber/EDC held a summit in Colorado Springs in May 2016, bringing togethermore than 250 cybersecurity experts, educators, and defense industry leaders to discuss theregion’s potential to develop its cybersecurity economy. The biggest barrier to successuncovered at the summit was the dearth of labor, a nationwide challenge magnified locally bythe high concentration of defense contractors. If the region were to pursue diversification andexpansion in cybersecurity, workforce development needed to top the to-do list.An informal result of the summit was the strengthening of a network of cyber educators whorecognized the need to align their efforts at program development and expansion. This informalcoalition included representatives from several local school districts and Pikes Peak CommunityCollege, and was encouraged by a handful of industry leaders who were already supportinglocal educational programs.In June 2016, this group formalized its network into an application to the National Initiative forCybersecurity Education (NICE) to serve as one of several regional partnerships around thenation to accelerate workforce development. This NICE initiative, called the Regional Alliancesand Multistakeholder Partnerships to Stimulate (RAMPS) Cybersecurity Education, wasdesigned to help regions solve their workforce shortages by developing education programs thatworked. In the Colorado Springs area, the network agreed to use the Chamber/EDC EcosystemGrowth Plan as the foundational planning tool for organizing stakeholders for the RAMPSproject.More specifically, the team agreed to focus the RAMPS application on developing multipleways to introduce teenagers to careers in cybersecurity. Called Cyber Prep, the programwould allow PPCC and its current workforce development collaborators to establish a formal,sustainable partnership between secondary school districts, employers, and the College to:1. build cybersecurity workforce development pathways to address local workforce needs,complement an emerging IT career pathway in Colorado, and align with the NICEStrategic Plan,2. develop and nurture cybersecurity programs in area high schools and in the PPCC AreaVocational Program that articulate to the PPCC cybersecurity degree;3. create and pilot a summer cyber work experience through job shadowing and/orinternship programs for area high school students; and4. explore registered apprenticeships as a way to ensure a sustainable cyber workforce forthe future.In October 2016, Pikes Peak Community College was awarded a grant by the U.S. Departmentof Commerce as the Western Regional RAMPS grantee, one of five regional alliances aroundthe nation. The initial team of Cyber Prep members recruited others, and the core team grew to17 members, while the number of active participants grew to a total of 45.Western Region RAMPS Final ReportPage 11 of 34

In order to capture the effects of Cyber Prep on the region’s ability to attract youth into careers incybersecurity, the next section of this report summarizes the state of education programs,workforce needs, and internships prior to the RAMPS award.Workforce NeedsIn 2016, the Chamber/EDC staff identified 96 companies providing cybersecurity services orrelated training and instruction in the Colorado Springs MSA, most of them in defense-relatedareas. This company asset map was used to invite companies to the initial summit and toparticipate in a survey to find out more about their capabilities and concerns. See Appendix Afor the asset map, produced as part of the Chamber/EDC’s first marketing brochure aboutcybersecurity.PPCC staff used the asset map to identify companies hiring locally for cybersecurity positions.Of the 96 companies on the map, 59 were hiring locally, and 36 had available cybersecuritypositions. The college team researched 81 positions at these 36 companies, examining the levelof security clearance cited and the certification and/or degree requirements. This allowed theteam to determine the skills, knowledge, and abilities required for the full range of openpositions available in the region. This analysis, the May 2016 Cybersecurity Position Analysis,also helped PPCC faculty and advisory board members to shape its new degree program.At the same time, the College commissioned a larger labor market study from the region’s localeconomic forum director, Dr. Tatiana Bailey, to include an employer survey of workforce needsthat would include an in-depth look at the skills, knowledge, and abilities employers sought incybersecurity positions. This study did not conclude until well into the RAMPS project as mostemployers were reluctant to complete it. These results are examined later in the report(Appendix B).For the 81 open positions studied, the following attributes were found (see Glossary for allacronyms): Clearance Requirementso 32 required no clearance or a Secret clearance (the lowest level of clearance)o 38 required a Top Secret clearance with Sensitive Compartmented Information(SCI) access and an additional eight required a Top Secret clearanceo Three required the highest level of clearances availableDegree Requirementso Seven positions required an Associate degree and an additional one preferred atleast an Associate degreeo 48 positions required a Bachelor’s degree or higher and an additional 16preferred at least a Bachelor’s degreeCertification Requirementso 31 required the CISSPo 27 required Security o 17 required CASP CEo 14 required the IAT IIIo Many positions required a handful of other certifications, usually as a “preferred”attributeExperienceo Two required at least one year of experienceo 21 required 2-5 years of experienceo 27 required 6-9 years of experienceWestern Region RAMPS Final ReportPage 12 of 34

oo15 required 10 or more years of experience16 did not specify experience as a requirementBy June 2018, the Chamber/EDC had completed the Cybersecurity Ecosystem Growth Planand had updated the cybersecurity asset map. The new map lists 128 cybersecurity-relatedcompanies and the Plan concludes:The Colorado Springs cybersecurity industry has a disproportionate impact onthe city’s economy: approximately 3,000 cybersecurity workers have a 530million direct economic impact. The cybersecurity industry also supports anadditional three thousand jobs in adjacent industries and via the spending ofthe city’s cybersecurity workers for a total employment impact of 6,000 jobs inColorado Springs. Altogether, the cybersecurity industry has a 915 millioneconomic impact on Colorado Springs. So, despite the fact that the industry’stotal workforce impact of six thousand jobs makes up only 1.4% of the city’stotal workforce, it is responsible for 2.7% of the total economic impact ofColorado Springs.Secondary and Post-Secondary Education OpportunitiesCollege and University ProgramsFormal cybersecurity education programs at the bachelor’s, master’s, and Ph.D. level haveexisted in the Pikes Peak region of Colorado for over a decade. In fact, save for the areasurrounding Washington, D.C., Colorado had the highest concentration of Center of AcademicExcellence (CAE4Y) colleges and universities in the nation in 2015 as indicated in Table 1.These programs reported enrollment and graduation rates of fewer than 10 students apiece inAcademic Year (AY) 2015, so local hiring managers were recruiting talent from one another andcompeting nationally to attract qualified workers. Since AY2015, these college and universityprograms have remained flat, though several have launched initiatives in the last AcademicYear to boost enrollment.The University of Colorado Colorado Springs (UCCS) received a 5.4 million appropriation fromthe Colorado Legislature in May 2018 to develop cybersecurity research and educationprograms, allowing the university to hire new faculty. Additional funding from the samelegislation is assisting Metro State University, Colorado State University, and Western StateUniversity as well as PPCC to develop cybersecurity offerings over the next three years.Pikes Peak Community College ProgramsIn response to outreach by federal agencies as well as the Colorado Congressional delegationcalling on Colorado’s community colleges to respond to the urgent and growing need for aqualified cybersecurity workforce, PPCC faculty had developed a Cybersecurity Certificate aspart of its Computer Networking Technology (CNG) Degree in Academic Year (AY) 2013 andbegan offering the program the following fall semester (AY2014). However, the College lost itsonly certified cybersecurity instructor later that year to a higher paying job in industry, and theprogram was dormant until AY2016, when the College found faculty credentialed to teach thehigher level courses. Seven students graduated with this certificate by AY2017.The Cybersecurity Certificate program provides students with foundational knowledge ofsecurity threats, risks, and mitigation. Beginning with its fall 2015 meeting, industry members ofthe PPCC Computing Advisory Board began requesting more cybersecurity-focusedWestern Region RAMPS Final ReportPage 13 of 34

coursework based upon the increasing number and complexity of the security threats theyfaced. The additional data reported in the May 2016 Cybersecurity Position Analysis allowed theCollege to solidify plans to offer a Cybersecurity Associate of Applied Science (AAS) degree,which was presented to the Computing Advisory Board in August 2016.Table 1. Centers of Academic Excellence in Colorado 2015InstitutionDesignationCredentials OfferedUniversity of ColoradoColorado SpringsCAE-IAE, CAECDE 4YCertificate in Information AssuranceCertificate in Secure Software SystemsColorado State University– PuebloCAE-CDE 4YB.S. (Computer Security)Colorado TechnicalUniversityCAE-CDE 4YB.S. (Cybercrime and Security)B.S. (Cybercrime Investigation)M.S. (Cybersecurity Policy)M.S. (Homeland Security)University of DenverCAE-CDE 4YM.S. (Cybersecurity)Regis UniversityCAE-IAE 4YGraduate Certificate (Cybersecurity)Graduate Certificate (Information Assurance)United States Air ForceAcademyCAE-CDE 4YB.S. Computer ScienceB.S. Cyber ScienceColorado School ofMinesCAE-CDE 4YCertificate (Cyber Defense Education)Source: CAE Community, last updated 2016, https://www.caecommunity.org/.As a result of the community’s focus on cybersecurity, and due to Colorado Springs’ designationas the state’s hub for economic growth in cybersecurity, PPCC President Dr. Lance Boltondeveloped and launched a College-wide Cybersecurity Initiative in April 2016 designed to:1. speed development of the Cybersecurity AAS degree, to include developing thenecessary curriculum and labs to ramp up a large program quickly;2. apply for Cybersecurity Center of Academic Excellence for Two-Year Schools’ (CAE2Y)designation from the US Department of Homeland Security and the National SecurityAgency;3. recruit, hire, train and retain qualified Cybersecurity faculty; and4. participate actively in community efforts to develop and implement the CybersecurityEcosystem Growth Plan for the region.PPCC hired Cybersecurity Director Gretchen Bliss in May 2016 to begin work on theseinitiatives under the PPCC Workforce Development Division. This allowed the college to beginresearching the cybersecurity skills gap, understand employer needs, and explore possibledegree programs and career pathways that would need to be developed, giving the college ahead start in getting organized for the launch of the Chamber/EDC Ecosystem Growth Planningprocess that would begin the following year.Western Region RAMPS Final ReportPage 14

CASP CE CompTIA Advanced Security Practitioner Continuing Education CCCS Colorado Community College System CDE Colorado Department of Education CDLE Colorado Department of Labor an d Employment Chamber/EDC Colorado Springs Chamber and Economic Development Corporation CISSP Certified Information Systems Security Professional .